10.3 Insufficient Monitoring & Logging Lab Instructions Part 2
12 hours 9 minutes
Hey, everyone, welcome back to the course. So in the last video, we went ahead and started our brute force attack with the tool called Hydra. So if you remember, we typed that long command in, and we went ahead and ran it. Now again, if you got an error message when you ran the command, you'll want to make sure you typed everything correctly and then try to run it again.
Once the command has finished, we want to answer question number one here: do you see any passwords in the output? If we look at the output here after we ran the command, do we see any passwords in there?
All right, so on my end, I do. Right? So I see the admin password right here. And I also see that it's noted: hey, one valid password has been found.
Let's go back to our lab document here.
So the next thing we're gonna do is we're actually gonna launch Firefox. So if you remember, we were brute-forcing the login page. We're gonna go ahead and launch Firefox, and we'll take a look at the log in Firefox. So go ahead and launch Firefox; it's gonna be this orange and white colored icon here at the top left. Go ahead and click on that. It might take a moment for Firefox to pull up for us.
Once it does, as I mentioned, we're gonna select the View Log option at the top right of the page, and that'll show us what the log is actually saying. Now, if you get the error messages we've seen in previous labs, just click on the icon here at the top left, and that will refresh the page and you'll be good to go.
So you see it refreshed the page for me. So now all we want to do is click View Log. So here it is at the top right.
That's gonna show us the log files, so you'll see all sorts of information there.
All right, so question number two here: do you see any log information that shows the password attack that we just did with Hydra?
So do you see anything in here that indicates there was a password attack with Hydra?
All right, well, it's pretty easy, right, 'cause we see Hydra in parentheses. So the answer to that is, of course, yes. That was a pretty easy question. So, question number three: what else do you see? And then also, in your opinion, is there sufficient monitoring going on?
So I'm actually gonna answer these for you. I want you to pause the video now and answer them yourself, but then restart the video and I'll answer them for you. So I'm just gonna continue on and answer those questions.
So the other things that I see: I see several IP addresses. The other thing that I see is the times, right? So I see the times that all these login attempts came through, and I see the failure messages. A lot of failure messages, like, hey, that didn't work. I see all these attempts to log in, I see the times, et cetera.
So if I'm looking at this, I can easily, you know, aside from the word Hydra, which tells us it was a password cracker, just look at the log without Hydra in there and see, well, these things happened probably within seconds of each other, all these login attempts. So it's an automated attack. Someone's trying to brute force the password.
Now, getting to question number four. If you remember, question number four was: do you think, in your opinion, or in this case I'm gonna give my opinion, do you think that there's sufficient monitoring going on? My opinion is no, right? So why? Why should an attacker be able to do this many attempts at logging in without the account being locked out? Right. So I don't see anything indicating here that, hey, you know, X number of attempts were tried and the account's locked out. There's nothing in this log that shows me that. It just shows me a bunch of failed login attempts until the login attempt was successful.
That's what we're looking for here, right? In the log files, we're looking to see, number one, what's in the log file? Is it showing us there's an attack or something like that? So in this case, we do have pretty good monitoring to some extent, because we're able to see that, yes, there was an attack and, yes, here's timestamp information on when the attack actually happened.
But then the flip side of that is we don't have sufficient monitoring, right? So we don't have systems in place that will block this type of attack or lock out an account if there are too many failed login attempts. And also, there's no alert, at least that we can see from this, that's going to, like, an admin or something, saying, hey, by the way, somebody's trying to brute force your website, your login page on the website. You need to do something about it. All right. There's no alert system in place, at least that we can tell from the data we have right now.
So we will call this a failure, right? We'll call this a failure on the aspect of monitoring. Then, of course, the log file could be a little more in depth as well, but at least from the monitoring standpoint, this organization would be failing the bar, so they would want to explore putting things in place where they can actually monitor what's going on and what's happening on their systems, and that way they can hopefully prevent or mitigate at least a good majority of issues.
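As an added example (not from the course or the lab application), here is the reasoning from the log walkthrough turned into detection logic: it parses constructed log lines in an assumed format and, for each client IP, flags failed logins that cluster within seconds, whether a success followed them (the missing lockout), and whether the tool name shows up in the user agent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not the lab's real output); the field layout is an assumption.
# It mirrors what the lab log shows: timestamps, client IPs, failed/successful logins, agent.
SAMPLE_LOG = """\
2024-03-01 09:00:00 198.51.100.7 FAIL user=admin agent=Mozilla/4.0 (Hydra)
2024-03-01 09:00:00 198.51.100.7 FAIL user=admin agent=Mozilla/4.0 (Hydra)
2024-03-01 09:00:01 198.51.100.7 FAIL user=admin agent=Mozilla/4.0 (Hydra)
2024-03-01 09:00:01 198.51.100.7 FAIL user=admin agent=Mozilla/4.0 (Hydra)
2024-03-01 09:00:02 198.51.100.7 FAIL user=admin agent=Mozilla/4.0 (Hydra)
2024-03-01 09:00:02 198.51.100.7 SUCCESS user=admin agent=Mozilla/4.0 (Hydra)
2024-03-01 09:05:00 203.0.113.5 FAIL user=alice agent=Mozilla/5.0
2024-03-01 09:09:00 203.0.113.5 SUCCESS user=alice agent=Mozilla/5.0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<result>FAIL|SUCCESS) "
                     r"user=(?P<user>\S+) agent=(?P<agent>.*)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=10)):
    """Flag each client IP with >= threshold failed logins inside one `window`; timing
    alone is the signal. Each finding also notes whether a SUCCESS followed the
    failures (the missing lockout) and whether a tool name appears in the agent."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        fails = sorted(r["ts"] for r in recs if r["result"] == "FAIL")
        burst = any(fails[i + threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue  # an isolated typo like alice's single failure is normal
        findings[ip] = {
            "failures": len(fails),
            "success_after_failures": any(
                r["result"] == "SUCCESS" and r["ts"] > fails[0] for r in recs),
            "tool_in_agent": any("hydra" in r["agent"].lower() for r in recs),
        }
    return findings
```

A finding with `success_after_failures` set is exactly the gap the lab describes: the burst was visible in the log, but nothing locked the account or alerted anyone before the guess succeeded.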
All right, so in this lab, we just wrapped up our discussion on insufficient logging and monitoring. As I mentioned, in the next video I'm just going to show you the Capstone lab. Again, I'm not going to walk you through it, and I'm also not going to be providing a step-by-step guide for it, simply because I actually want you to do it. I don't want you to have the easy answers. I want you to actually do it and get the hands-on for it.
And that way, you know, again, this course is kind of intended for a broad audience. That way, if you're more technical, you know, someone doing administrative stuff, and you need to actually get the skills, then that helps you get the skills. If you're just, you know, like if you're working in, like, sales or something, and this is just one of those requirements your employer makes you do, then you may not need the hands-on experience, so you may not need to do the Capstone project. So again, we're just gonna show you the lab, the Capstone lab.
I'm not gonna walk you through it. I'm also not going to provide a step-by-step guide for it. But that will be in the next video. And then after that, we'll wrap up the course.